Objective 6.1 – Configure and manage logical Load Balancing

Principles

  • Differentiate when to use the two topologies for load balancing
  • Understand how to configure load balancing
  • Configure and understand service monitors
  • Understand how to Add/Edit/Delete a server pool
  • Understand how to Add/Edit/Delete an application profile
  • Understand how to Add/Edit/Delete virtual servers
  • Determine appropriate NSX Edge instance size based on load balancing requirements

References

  1. NSX Administration Guide

http://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_admin.pdf

  2. NSX Installation Guide

https://pubs.vmware.com/NSX-62/topic/com.vmware.ICbase/PDF/nsx_62_install.pdf

  3. NSX Design Guide

Differentiate when to use the two topologies for load balancing

In-Line Load Balancing

  • Also known as Transparent Mode
  • Deployed in line with workload traffic – i.e. all workload traffic must pass through it regardless of whether it requires load balancing

  • Default Gateway for workload VMs is the Load Balancer itself
  • Incoming traffic to the VIP is translated to the server IP through Destination NAT
  • Responses from the server to client are subject to a Source NAT
  • With this method the Client IP is preserved – i.e. there is no Source NAT on the incoming traffic to the VIP and so the workload server has full visibility of the client

Proxy Load Balancing

  • Also known as one-arm mode
  • Deployed alongside workload VMs (servers) on the same subnet

  • Load Balancer performs both a Source NAT and Destination NAT for client traffic
  • Server is not aware of the actual IP address of the client – can pose difficulties for SSL
  • Reverse traffic must pass through the Load Balancer (as incoming traffic has SNAT applied)
  • Load Balancer can insert original Client IP into HTTP packets through the “X-Forwarded-For” HTTP Header
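
Because proxy mode hides the client behind SNAT, a pool member has to recover the client address from X-Forwarded-For, and it should only do so when the TCP peer really is the load balancer. The following is an added example, not part of the original notes; the trusted address 10.0.1.5 and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption (constructed value): the address the load balancer uses as
# SNAT source when it connects to pool members in one-arm mode.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.5/32")]


def _is_trusted(addr):
    """True if addr belongs to a proxy we operate ourselves."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff_header):
    """Return the client address a pool member should log or authorise on."""
    peer = ipaddress.ip_address(peer_ip)
    # The header is only meaningful when the connection came from the load
    # balancer. From any other peer it is client-supplied data, so ignore it.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Read right to left: the last entry was added by our own proxy, while
    # entries further left may have been sent by the client itself.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the TCP peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)
```
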

Understand how to configure load balancing

Pre-requisites

  • Load Balancing is configured on an NSX Edge
  • The Edge firewall must be enabled for load balancing to work
  • VIPs can be configured directly on Interfaces or as secondary IPs

Go to Edge -> Manage -> Interfaces and add Secondary IPs to the Interface hosting the server Virtual IPs (VIPs)

From the Load Balancer -> Global Configuration tab click Edit and Enable the Load Balancer

Order of configuration

  1. Configure Application Profiles
  2. Add a Service Monitor (optional).
    • Sample monitors are provided out of the box for HTTP/S and TCP
  3. Add 1 or more Server Pools and apply any previously defined Service Monitors
    • Add 1 or more members to the pool – set monitor for any applied Service Monitors
  4. Add Application Rules (Optional)
  5. Add a Virtual Server

Configure and understand service monitors

Sample monitors are provided out of the box for HTTP/S and TCP

Understand how to Add/Edit/Delete a server pool

Algorithm = ROUND-ROBIN, IP-HASH, LEASTCONN, URI, HTTPHEADER, URL

Add 1 or more members to the pool – set monitor for any applied Service Monitors

Understand how to Add/Edit/Delete an application profile

Application Profile Types:

  • TCP: TCP-based load balancing.
  • UDP: UDP-based load balancing.
  • HTTP: HTTP-based load balancing.
  • SSL Passthrough: AppRules related to SSL attributes are allowed without requiring SSL termination on Load Balancer.
  • HTTPS Offloading: HTTP-based load balancing; SSL is terminated on LB and HTTP is used between LB and pool.
  • HTTPS End-To-End: HTTP-based load balancing; SSL is terminated on LB and HTTPS is used between LB and pool.

Understand how to Add/Edit/Delete virtual servers

  • Select Application Profile
  • IP Address (from secondary IPs configured earlier)
  • Protocol
  • Port
  • Application Rules (optional)

Acceleration

  • A Load Balancer has 2 engines: L4 (TCP) and L7 (HTTP/HTTPS)
  • Acceleration is applied on L4 services only
  • L4 is faster than L7 because it processes packets before the Edge Firewall, hence no “Allow” rule is required for traffic destined for an accelerated VIP
  • L7 traffic is processed after the traffic goes through the Firewall and so an “Allow” rule must be configured for that service VIP
  • The firewall should be enabled in either case for load balancing to work
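
The difference between the two engines matters when reviewing exposure: an accelerated VIP is admitted without an Allow rule, while an L7 VIP depends on one. The following added example (not from the original notes) sorts a set of virtual servers accordingly; the data, field names and function names are constructed for illustration and are not an NSX export format. It assumes a VIP counts as accelerated only when acceleration is enabled and the protocol is TCP.

```python
# Constructed sample data; the field names are hypothetical.
VIRTUAL_SERVERS = [
    {"name": "vs-db", "vip": "192.0.2.10", "port": 3306,
     "protocol": "tcp", "acceleration": True},
    {"name": "vs-web", "vip": "192.0.2.11", "port": 443,
     "protocol": "https", "acceleration": False},
    {"name": "vs-intranet", "vip": "192.0.2.12", "port": 80,
     "protocol": "http", "acceleration": True},
]
FIREWALL_RULES = [
    {"action": "accept", "dst": "192.0.2.11", "port": 443},
]


def engine(vs):
    """Acceleration is applied on L4 services only; HTTP/HTTPS stay on L7."""
    if vs["acceleration"] and vs["protocol"] == "tcp":
        return "L4"
    return "L7"


def has_allow_rule(vs, rules):
    """True if some accept rule matches this VIP address and port."""
    return any(r["action"] == "accept" and r["dst"] == vs["vip"]
               and r["port"] == vs["port"] for r in rules)


def audit(virtual_servers, rules):
    """Return (name, finding) pairs for VIPs that deserve a second look."""
    findings = []
    for vs in virtual_servers:
        if engine(vs) == "L4":
            # Handled before the Edge firewall: no Allow rule is needed,
            # so the rule base is not what admits traffic to this VIP.
            findings.append((vs["name"], "L4 accelerated: reachable without an Allow rule"))
        elif not has_allow_rule(vs, rules):
            findings.append((vs["name"], "L7: no Allow rule found for this VIP"))
    return findings
```
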

Determine appropriate NSX Edge instance size based on load balancing requirements

| Configuration Parameter | Max for Compact, Large and Quad Large Load Balancers | Max for X-Large Load Balancers |
| --- | --- | --- |
| VIPs | 64 | 1024 |
| Pools | 64 | 1024 |
| Servers per pool | 32 | 32 |
| Health Checks | 320 | 3072 |
| Application Rule Size (characters) | 4096 | 4096 |

Common CLI Commands

  • Firewall must be enabled for LB to work

show firewall

  • NAT requires Firewall and is used in LB

show nat

  • Check LB is running

show service loadbalancer

  • View LB Session Table

show service loadbalancer session

  • View LB configuration

show configuration loadbalancer

  • View Virtual Pool statistics

show configuration loadbalancer virtual [virtual-server-name]

  • Show Server Pool object statistics

show configuration loadbalancer pool [pool-name]

  • Show Service Monitor Status

show configuration loadbalancer monitor [monitor-name]

  • Show Application Profiles

show configuration loadbalancer profile [profile-name]

  • Show Application Rules

show configuration loadbalancer rule [rule-name]